Over the last few days, security mailing lists and news sites have started reporting about ‘hackers’ and the flaw in Windows Vista involving the voice recognition feature.
The flaw, if one could call it that, was tested and does indeed work. George Ou, who blogs for ZDNet, said, “Yes you need to actually catch the user off-guard, and they would have had to turn on speech recognition at some point which then auto loads speech in Vista from that point on. This does not require user interaction other than clicking on a URL to visit a website and this does not trigger UAC security warnings.” If this was tested and it works, why are so many sources crying foul and pointing out that the panic over this is unwarranted?
They cry foul because of all the steps involved to make this little trick work. The user has to enable the voice prompts. After that, the volume on the PC speakers must be turned up and the levels set so that commands are clear. The final step to ensure that it works is that the microphone on the computer must be connected and enabled. These are three separate steps, and they require a lot of luck on the part of the malicious webmaster who is hiding special audio files to control your computer.
Microsoft is aware of the issue but gives it little credit for the same reasons mentioned. The UAC (User Account Control) will prevent serious harm, because a password is required for several core functions requested by the operator. At best, this is a seriously funny gag. Imagine someone with Vista who leaves the computer unlocked as they step away from the desk. You set up all the things needed and, as you talk to them, call out commands. Another gag would be to set up the required features, then email them a ‘funny’ audio file for them to play. Windows Vista Business Edition has this feature, and you can be sure that office pranks will go to a new level.
One opinion as to the reason this ‘hack’ started gaining so much attention is that it was discovered so soon after the release of Vista. The security of Vista is touted to be the strongest ever offered by Microsoft. As they made that statement, a huge red bulls-eye went up on the back of the operating system, and everyone is gunning to prove that the claim of “most secure ever” is false.
Microsoft is known for its constant battle with security. Recently a new 0-Day exploit involving Office Excel (2000, XP, 2003, 2004 for Mac) was released to the public, forcing Microsoft to publish yet another Security Advisory. This makes the fifth unpatched Office security issue, four of which come from Word. It’s that track record that many claim will prove that Vista isn’t as secure as it’s claimed to be.